HIPAA and Home Health ISAC October 9, 2018
Sorry, I have to do this! • The contents of this presentation are provided for the purpose of information and education only and do not constitute legal advice. You are encouraged to consult competent legal counsel of your choice for all legal issues.
Due solely to the nature of the business, home health activities have a high risk in terms of meeting the obligations of HIPAA • This presentation is intended to raise the level of awareness rather than address every fact situation
Topics for Today • What is HIPAA and how is Protected Health Information defined • Dealing with PHI on the move • Communicating with patients • Social Media and HIPAA
What is HIPAA • Health Insurance Portability and Accountability Act of 1996 • Now, the focus is on protecting information that can be used to identify an individual • Identity theft is a primary concern
Quinzella Romer – former health insurance company employee • During a traffic stop, officers discovered an outstanding warrant • During pat down found a driver’s license from another person and a cell phone • Obtained a search warrant for the phone
Found over 20 screen shots on the phone that contained PHI of over 50 people. • 12 had already been victims of tax-related identity theft where the IRS paid out refunds • Sentenced to 32 months in prison and restitution of $16,264
What is PHI? • Protected Health Information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that: • Relates to the past, present, or future physical or mental health or condition of an individual; • Relates to the provision of health care to an individual; or • Relates to the past, present or future payment for the provision of health care to an individual.
PHI is so much more than just the medical record. • PHI includes information by which the identity of a person can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.
Identifiers • Names • Medical Record Numbers • Social Security Numbers • Account Numbers • License/Certification numbers • Vehicle Identifiers/Serial numbers/License plate numbers • Internet protocol addresses • Health plan numbers • Full face photographic images and any comparable images
Web universal resource locators (URLs) • Any dates related to any individual (e.g., date of birth) • Telephone numbers • Fax numbers • Email addresses • Biometric identifiers including finger and voice prints • Any other unique identifying number, characteristic or code • PHI is more than name, date of birth and SSN!
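As an added example that is not part of the presentation, the following Python scanner flags the structured identifiers from the list above in free text, so a note, ticket or outgoing message can be checked before it leaves the agency. The regular expressions, the assumed MRN format, and the sample visit note are all constructed for illustration and are not the author's or any agency's actual rules.

```python
import re

# Added example, not from the presentation. Regular expressions for the structured
# identifiers in the HIPAA list above. The MRN format is an assumption for this
# example; a real agency would substitute its own record-number format.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "medical_record_number": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),  # assumed format
}


def find_identifiers(text):
    """Return {category: [matches]} for every identifier pattern that hits the text."""
    hits = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def contains_phi(text):
    """True when at least one structured identifier is present."""
    return bool(find_identifiers(text))


def redact(text, placeholder="[REDACTED]"):
    """Replace every structured identifier with a placeholder before the text is shared."""
    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub(placeholder, text)
    return text


# Constructed sample visit note; no real patient data.
SAMPLE_NOTE = (
    "Visit note for patient J. Doe, DOB 04/12/1954, MRN-00123456. "
    "Call back at (319) 555-0142 or jdoe@example.com. "
    "Insurance verified on 10/09/2018; SSN on file 123-45-6789. "
    "Portal login seen from 10.0.4.22."
)

if __name__ == "__main__":
    for category, matches in find_identifiers(SAMPLE_NOTE).items():
        print(f"{category}: {matches}")
    print(redact(SAMPLE_NOTE))
```

Pattern matching only catches the identifiers that have a fixed shape. Names, full-face photographs and "any other unique identifying characteristic" have no pattern to match, so a clean scan is a pre-check before a human reviews the document, not a clearance to send it.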
Breach • The impermissible or unauthorized use or disclosure of protected health information • Minimum Necessary Doctrine • Requires notification to the government and the individual impacted
How to handle PHI • First and foremost, protect it! • Ensure it remains private • Ensure it is secure when in electronic format – encryption, firewalls, etc. • Access must be authorized • Do not discuss PHI in public areas such as cafeterias, breakrooms, etc. • Dispose of it properly
PHI in Transit – on the move • Laptops and cell phones • Paper • Must ensure security of PHI at all times regardless of where the “office” may be
Laptops and cell phones • Two largest sources of breaches • High degree of theft • Email • Text messages • Photographs • Encryption and passwords are essential
Dangers of Phishing Email • Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords • Over 75% of breaches are because someone let the bad guys in • The best protection is to always be skeptical about e-mails – “when in doubt, throw it out!”
Why is Phishing so dangerous? • E-mails appear to come from a legitimate company and can look very official • Easy to be fooled into providing personal information in hopes of rectifying some nonexistent problem with your account • Sense of urgency created tricks people into acting without thinking
Examples • “There has been a security breach and your immediate attention is required. If you don’t update and confirm your password within 48 hours all data will be lost.” • Provides a link to access the log-in page which actually takes the person directly to the bad guys
Red Flags • A financial institution will NEVER ask you to reset your account information online • The e-mail claims there will be dire consequences unless you log in immediately • There is a link within the e-mail that takes you to the “log-in” page • Fear is the attacker’s best weapon
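To turn the red flags above into something a help desk or mail filter can check, here is an added Python example (not from the presentation) that scores a plain-text e-mail for those signals: urgent language, a request for credentials, an embedded link, and a link whose host does not belong to the sender's domain. The two sample messages (the first reuses the wording quoted on the Examples slide), the domains (all under the reserved .example TLD) and the keyword lists are constructed assumptions for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Added example, not from the presentation. Keyword lists are illustrative assumptions;
# a production filter would use a maintained list and the agency's real domains.
URGENCY = re.compile(
    r"\b(?:immediate(?:ly)?|within \d+ hours|urgent|suspend(?:ed)?|will be lost|dire consequences)\b",
    re.IGNORECASE,
)
CREDENTIAL_REQUEST = re.compile(
    r"\b(?:password|log[- ]?in|sign[- ]?in|(?:confirm|verify|update) your (?:account|password))\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From: header (lower-cased), or '' if none is present."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def link_domains(body):
    """Set of host names that links in the body actually point to."""
    hosts = set()
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def red_flags(raw_message):
    """Return the red flags found in a plain-text e-mail, in a fixed order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    sender = sender_domain(msg)
    links = link_domains(body)
    flags = []
    if URGENCY.search(body):
        flags.append("urgency")
    if CREDENTIAL_REQUEST.search(body):
        flags.append("credential_request")
    if links:
        flags.append("contains_link")
    # A link whose host is neither the sender's domain nor a subdomain of it is the
    # "log-in page" that actually goes somewhere else, as the Examples slide describes.
    if any(host != sender and not host.endswith("." + sender) for host in links):
        flags.append("link_domain_mismatch")
    return flags


def is_suspicious(raw_message, threshold=2):
    """Treat a message with at least `threshold` red flags as one to report, not act on."""
    return len(red_flags(raw_message)) >= threshold


# Constructed sample messages; all domains use the reserved .example TLD.
PHISHING_SAMPLE = """From: "Account Security" <security@examplebank-alerts.example>
To: nurse@homehealth.example
Subject: Security breach - action required

There has been a security breach and your immediate attention is required.
If you don't update and confirm your password within 48 hours all data will be lost.
Log in here: http://examplebank.example.login-verify.example/account
"""

LEGITIMATE_SAMPLE = """From: "Scheduling" <scheduling@homehealth.example>
To: nurse@homehealth.example
Subject: Thursday visit schedule posted

The Thursday visit schedule is on the intranet at https://intranet.homehealth.example/schedules
No action is needed beyond reviewing your assignments.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, red_flags(sample), "suspicious" if is_suspicious(sample) else "ok")
```

A flagged message is a candidate for the "when in doubt, throw it out" rule and for reporting to whoever handles security at the agency, not a verdict: a genuine internal notice can carry a link, and a well-crafted lure can avoid the keyword list, which is why the domain check carries the most weight here.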
PHI on Paper • Face sheets, plans of care, physician orders, schedules, etc. • There is a lot of paper PHI floating around • Easy to misplace, leave behind or lose.
But I always keep everything in my folder/briefcase/bag • Where is the folder when you run an errand? • Is the folder ever out of sight when serving a patient? • Cars at Casey’s • At home • Disposal of notes and cheat sheets
Always have to assume people are nosey! • What is PHI worth? • Paper will always be a soft spot
Conversations with Patients • Home health is a special setting for the delivery of health care services • Essential to maintain the “information boundaries” • Even innocent conversations can be problematic • Consider who else may be around
Social Media and HIPAA • Social media is the landmine of health care • We have lost our filters • Snapchat • Clarksville Nursing and Rehab • Hubbard Care Center • Best advice – never post work related information or photos
Privacy still matters • OCR expects over 17,000 privacy complaints this year
The problem with social media is you can’t un-ring the bell • The magnitude of the impermissible disclosure is far greater in our electronic world
“I don’t work there anymore…” • Obligations and responsibilities continue well past the date of separation • It isn’t the agency or county that enforces the obligation, rather, it is the Office for Civil Rights, part of the Federal government
Enforcement • Oklahoma v. Bond • Along with co-conspirator, stole medical records from employer, Mercy Health • Used information to fraudulently open credit card accounts • Charged with felony identity theft and fraud
Martha Smith-Lightfoot • Took a spreadsheet containing PHI of 3,000 people “to ensure quality of care” • Gave the information to her new employer • Several patients complained about being contacted by the new employer about changing providers • Lost her nursing license
U.S. v. Orlando Jemmott • Worked in the ER of Kings County Hospital • Stole PHI of 100 individuals • Sold the information to another person • Fired by hospital • Arrested by FBI for criminal identity theft
Penalties • Fines can range from $5,000 to $2.5 million • Jail time of up to 10 years if the use was malicious or for personal gain • Criminal sanction available when the individual knowingly obtained or disclosed PHI
Do’s and Don’ts • Do keep computer sign-on codes and passwords secret and use locked screensavers • Do Not allow unauthorized persons to access your computer • Do keep notes, files, USB drives and mobile devices in a secure place and not out in the open
Do Not place PHI on a mobile device that isn’t encrypted and password protected • Do hold discussions of PHI in private areas and for job-related purposes only • Do be aware of other people listening in on your conversation
Do make sure all envelopes used to mail or transport PHI are sealed and closed securely • Do follow proper procedures for proper disposal of sensitive information, e.g., secure shredding • Do Not include PHI in e-mails unless the e-mail is encrypted
Bottom Line • Privacy of patients’ information is more important than ever • Whether it be on paper or in electronic form PHI must be secured at all times • HIPAA continues long past the date of separation • Think twice before posting anything work related on social media
Gary N. Jones, J.D., CHC, CHPC • Gary.jones@mwcompliance.com • Midwest Compliance Associates, LLC • 721 W. 1st Street, Cedar Falls, Iowa 50613